IBM R&D Labs in Israel News

Who stole the cookies? Active attacks from trusted web sites

Even trusted web sites can leave your computer vulnerable to attacks

It’s no secret that hackers can steal your sensitive information by ‘listening in’ as you surf various sites—especially when you’re connecting from a non-trusted network like an Internet café or an unsecured wireless connection. Most of us already take precautions regarding usernames, passwords, or credit card information when we log in through this kind of connection. But we’ve always felt secure when we innocently surf sites that supply news, weather, or sports information. Not so, says a team of engineers in the Rational Application Security group at the IBM Israel Software Lab. New research by the team, which is in charge of the core testing techniques of IBM's Rational AppScan tool, found that surfing even these seemingly harmless sites can leave your computer vulnerable to security attacks—enabling hackers to collect information stored in your browser and ultimately wreak havoc. Furthermore, the team has shown how an attacker could penetrate local intranet networks using the new class of attacks.

The man in the middle
“The well-known 'man in the middle' scenario is a form of passive attack,” explained Adi Sharabani, manager of security research for the Rational AppScan team in Israel. “The hacker sits and waits until the victim visits a sensitive web site and then steals information such as cookies from his browser.” Sensitive sites include those where you input personal details, such as Gmail, Hotmail, eBay, Amazon, banking sites, and so forth.

“The new threat, referred to as the ‘active attack’, occurs when the ‘man in the middle’ actively steals information from your browser—without having to wait (passively) for you to enter sensitive information using a non-trusted connection,” continued Sharabani. Let’s say you visit a site offering weather forecasts. Using this new kind of ‘active’ attack, the hacker can inject a visible or invisible frame that connects to your bank site. As soon as you open the weather site, the browser, by design, loads the frame and automatically sends a request to the bank. When you connected to your bank site in previous sessions, the site left cookies in your browser. Cookies serve as a means of saving information about you, so a site can identify you without making you log in again or redefine your preferences. These cookies, and the information they contain, now become available to the hacker.

“Basically, any time I want to get a cookie from a specific site, all I have to do is intervene and open a connection between the victim’s browser and the site for which I want their details,” explained Sharabani. “Once the connection is open, the browser automatically sends the cookie to me.” In short, your browser can actively expose your personal information and send it to a hacker—even while you are surfing seemingly innocent news, weather, or sports sites where you aren't entering usernames or passwords.
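To make the mechanism concrete: a browser attaches stored cookies to every request for a matching site, including one triggered by a frame it did not ask for. The script below is an added illustration, not code from the article or from the AppScan team, and uses Python's standard cookie jar to model what a browser does. It assumes that the forced request travels over plaintext HTTP (a man in the middle can inject into, and read, plaintext traffic but cannot forge the bank's TLS connection) and that the cookie store holds a mix of cookies with and without the standard Secure attribute, which the article does not discuss. The domains, cookie names and values are constructed for the example.

```python
"""Added example: which stored cookies does a browser hand over when an
injected frame forces a plaintext request to a site you logged into earlier?"""
import http.cookiejar
import urllib.request

# Constructed sample cookie store (hypothetical domains, names and values).
# Last field: whether the site set the Secure attribute on that cookie.
SAMPLE_COOKIES = [
    ("bank.example", "session", "abc123", True),   # Secure: https-only
    ("bank.example", "prefs", "en", False),        # no Secure flag
    ("weather.example", "region", "il", False),
]


def make_cookie(domain, name, value, secure):
    """Build a stored Netscape-style cookie as a browser would after Set-Cookie."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=False,
        comment=None, comment_url=None, rest={},
    )


def build_jar(entries=SAMPLE_COOKIES):
    """Fill a cookie jar the way previous browsing sessions would have."""
    jar = http.cookiejar.CookieJar()
    for domain, name, value, secure in entries:
        jar.set_cookie(make_cookie(domain, name, value, secure))
    return jar


def cookies_sent_to(jar, url):
    """Names of the stored cookies the jar attaches to a request for `url`.

    This is exactly what happens when a frame pointing at `url` is loaded:
    the browser builds the request and adds every matching cookie itself.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return set()
    return {part.split("=", 1)[0] for part in header.split("; ")}


def exposure_report(jar, host):
    """Cookies that would cross an untrusted network in the clear if a frame
    forced http://host/, versus cookies that only ever travel over https."""
    over_http = cookies_sent_to(jar, f"http://{host}/")
    over_https = cookies_sent_to(jar, f"https://{host}/")
    return {"exposed_over_http": over_http, "https_only": over_https - over_http}


if __name__ == "__main__":
    jar = build_jar()
    print(exposure_report(jar, "bank.example"))
    # → {'exposed_over_http': {'prefs'}, 'https_only': {'session'}}
```

The forced request to http://bank.example/ carries the cookie that lacks the Secure attribute, so anyone reading the plaintext traffic sees it; the Secure cookie is withheld, and a request to an unrelated host gets nothing. Clearing the jar, as the article recommends, empties `exposed_over_http` entirely.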

With an active attack, an attacker can also send your browser a script that peeks at your personal information. Once the details of your previous sessions with your bank or e-shops are discovered, the script can get past even more sophisticated security arrangements used by web sites or company intranets to carry out fraudulent activities, all while your bank thinks you are the one connecting.

Moreover, using the active attack methods, it is possible to extend the duration of the attack to a future time. Not only can hackers steal information connected to your past sessions on the web, including cookies or form fillers, but they can also use scripts to grab information you enter in the future—even inside your company’s network.

How can you protect yourself?
“There are a number of ways to create a safer and more trusted environment,” noted Sharabani. “The attack either targets information from past browsing sessions or plants a script that will steal information in the future. If you erase your cookies, cache files, and form filler information before and after you log into an untrusted network, you render the attacks useless.”

The inconvenience of re-entering commonly used details can be mitigated by using a separate browser for each network type. One browser, say, Mozilla Firefox, can be used for trusted networks, such as your home network or company LAN. Another browser, like Google Chrome, can be reserved for untrusted ones, such as Internet cafés or public wireless networks. Once you make this distinction, you will not need to erase all cookies and caches before and after each session on an untrusted network. Since separate browsers don’t share information with each other, you can keep cookies, automatic form fillers, and other personal information in one browser, while maintaining a browser that holds no useful information in case of an active attack.

The Rational AppScan team continues to work on overcoming new security vulnerabilities. Last week, Sharabani shared his insights on these new discoveries with peers at the OWASP conference in Australia, the premier application security event in Asia Pacific.

Protect your browser:

Avoid using untrusted networks.

Use two separate browsers: one for trusted networks and the other for untrusted ones.

Avoid using form fillers.

If you don't use separate browsers, erase cookies and cache files before and after connecting via untrusted networks.